Security in autonomic communication Shuping Liu Networking Lab HUT Contents Why autonomic? Why security? Security characteristic Security challenge Security solution Policy-based solution conclusion Why autonomic? Communication system becomes more complex, more interconnected, more dynamic and more tightly woven into our lives. Human resources involved in managing and administering them have grown rapidly and constitute a steadily larger fraction of the cost. Autonomic communication is aimed to be autonomous, managing their own evolution, performance, security and fault concerns without explicit user or administrator actions. Why security? (1/3) Why security? (2/3) Why security? (3/3) Security characteristic Autonomic communication will not create an entirely new security. All the traditional securities will arise in autonomic communication systems. Some in more complex and urgent form. Autonomic communication will give rise to unique security threats of their own. Security challenge New technologies and architectures, whose security implications are not yet well understood. Anomalous behavior caused by security compromises due to reduced human activities. Span different administrative domains Deal with a constantly changing set of other systems. Need flexible new methods for trust establishing, attack and compromise detecting, recovering. Deal with personal information. Need to obey privacy policies required by nation laws and business ethics. Security solution Software solution policy control (the details followed) access control autonomic distributed firewalls (ADF) … Hardware solution security enhanced chip multiprocessor … Policy-based solution(1/21) Security policy is the primary tool for security in autonomic communication. The unit of autonomic communication, generally referred to as “autonomic element”, is anticipated as follows, simple and of fixed function at small scales function dynamically at higher levels Policy-based solution(2/21) An autonomic element will involve two parts: function unit: perform whatever basic function the element provide management unit: oversees the operation of the functional unit Policy-based solution(3/21) Logical structural of an autonomic element Policy-based solution(4/21) Management unit carries with them, or otherwise has access to, policies that govern and constrain their behaviors at a comparatively high level task and state representations that functionally describe their current mission, strategy, and status at a lower level Policy-based solution(5/21) Some of the policies will be security policies Some of the task and state representations will also be relevant to the element’s security By explicitly representing both security policies and security-related tasks and states, autonomic elements will be able to automatically handle a wide range of security issues that are currently addressed by human Policy-based solution(6/21) Many autonomic communication systems span different administrative domains It is not enough for an autonomic element to ensure its own security Autonomic elements are capable of negotiating security and policy, and to gather and securely exchange the info. Another problem is trust-establishment, because autonomic element has less control over, and less complete and reliable info. about the element in other domain Policy-based solution(7/21) Hierarchy trust model Policy-based solution(8/21) Mesh trust model Policy-based solution(9/21) Bridge trust model Policy-based solution(10/21) Hybrid trust model Policy-based solution(11/21) Trust model based on Gateway CA’s Policy-based solution(12/21) Trust problem also exist between user and policy systems. How can we trust a policy system to make the best decision? Hoi Chan et. al. suggests a policy system with trust building tools Policy-based solution(13/21) Notations, ITI: instantaneous trust index, to each execution of each policy ITI = f (m1,m2,…), where m1,m2 … are weights assigned to each user modification, and 0<=ITI<=1 OTI:overall trust index, for a policy and reflects the level of trust that the user has in a particular policy or group of policies OTI = f1(ITI1,ITI2,…), where f1 is average function Policy-based solution(14/21) a policy system with trust building tools Policy-based solution(15/21) KB, knowledge base, uses the information, through some reinforcement learning algorithms, to adjust the behavior of the policy in a way to maximize the OTI. There are 3 modes of operation, Minimal trust (supervised) mode Partial trust (modify) mode Full trust (automatic) mode The user is able to place the system into one of these modes at will on a per-policy base. Policy-based solution(16/21) Minimal trust mode, start mode by default Policy generates the actions not executed the user exams the actions the user accepts, or propose his own actions, or denies return ITI by an expert-defined function KB actions As the policy system evolves to a point where OTI≈1, the user may change to next trust level for the policy Partial trust mode This mode is similar to Minimal mode. But in this case, user can only change the parameters, instead of actions. Full trust mode The policy system fully execute the actions without user intervention Policy-based solution(17/21) We should know that, the policies, and the task and state representation provide high-value targets to a potential attacker. Let us consider a scenario, the attacker insert a piece of code that causes the system to silently send him or her a copy of some important information at a particular email address at a particular time. Policy-based solution(18/21) In traditional communication system, the leak will stop if that email address becomes unavailable, or a network gateway blocks it. However, in an autonomic element, if the code is inserted as a policy piece, the autonomic element would then use every resource at its disposal to ensure that the information is delivered to the attacker. The attacker would have harnessed the element’s own ability to adapt to changing conditions and adopt new strategies for the purpose of stealing the desired information. Preventing such high-level subversion will be an important part of the security of autonomic systems. Policy-based solution(19/21) On the other hand, the security policies that govern an autonomic element can provide new levels of resistance to attack. Policy-based solution(20/21) data leak in traditional systems Policy-based solution(21/21) data leak in autonomic systems Conclusion No functioning system is perfectly secure, autonomic communication system will be no exception. The development of autonomic systems cannot be delayed until the final security solution is available, since it is impossible Recent advances, including autonomic intrusion detection systems, secure embedded processors, proactive security measures, and automated virus response, have taken some burden of security maintenance off overloaded system administrators. But there is much more which is waiting for us… Thanks! Any comments and questions?